Safeguard
Tag

cosign

Safeguard articles tagged "cosign" — guides, analysis, and best practices for software supply chain and application security.

33 articles

Container Security

How to Sign Container Images With Cosign: A Complete Guide

A practical walkthrough for signing container images with Cosign using keyless OIDC, verifying signatures, and enforcing policy in your Kubernetes cluster.

Jun 10, 20245 min read
Guides

How to Generate an SBOM in a GitLab CI Pipeline

A working .gitlab-ci.yml for SBOM generation with Syft: CycloneDX report artifacts, a Grype scan stage, and Cosign attestations pushed next to the image.

Mar 3, 20245 min read
DevSecOps

How to Set Up Sigstore in Your Build Pipeline

Wire Sigstore into GitHub Actions end-to-end: OIDC identity, Cosign signing, Rekor transparency, and policy-controller enforcement — with working snippets.

Feb 28, 20244 min read
Container Security

How to Enforce Cosign Signatures in Kubernetes Admission

A hands-on tutorial for blocking unsigned container images at the Kubernetes admission layer using Cosign, Sigstore policy-controller, and keyless verification.

Feb 15, 20245 min read
Container Security

Container Image Signing with Cosign: A Practical Deep Dive

Cosign makes signing and verifying container images straightforward. Here's everything you need to know to implement it in your pipeline.

Nov 8, 20226 min read
Open Source Security

Sigstore Reaches GA: Free Software Signing for Everyone

Sigstore's general availability in October 2022 made cryptographic signing accessible to every developer. Here's why this is a watershed moment.

Oct 15, 20226 min read
Supply Chain Security

OCI Artifact Signing Standards: Making Sense of the Landscape

Container image signing has gone through multiple iterations. Here is where the OCI standards stand now and what you need to implement.

May 12, 20225 min read
Best Practices

A First-Principles Guide to Artifact Signing in 2022

Artifact signing is having a moment, but most teams skip the fundamentals. Here is the first-principles case for why you sign, what you sign, and who verifies.

Mar 20, 20226 min read
DevSecOps

Sigstore and Cosign: Software Signing for the Rest of Us

Sigstore makes software signing accessible by eliminating the pain of key management. Here's how Cosign, Fulcio, and Rekor work together to verify software integrity.

Oct 25, 20216 min read
cosign (Page 3) — Safeguard Blog